nShield Edge

Secure, portable, and flexible USB-attached HSM

nShield Edge from Thales e-Security is a USB-connected hardware security module (HSM) that enables organizations to implement high assurance cryptography in a cost-effective way. Portability and USB connectivity make nShield Edge especially suitable for use with laptops and in workstation or desktop environments. This compact yet full-featured HSM with its integrated smart card reader is perfectly suited to situations with limited space or where HSMs are used only occasionally. Fully supporting the Security World key management architecture, nShield Edge provides an ideal blend of high assurance and operational ease. This makes it easier for you to define and enforce security policies such as dual controls while also automating burdensome and risk-prone administrative tasks.

nShield Edge is fully compatible with the rest of the nShield HSM family, enabling mixed deployments and easy migration as performance requirements increase. This independently certified security platform performs key management and cryptographic operations such as encryption and digital signing on behalf of a wide range of commercial and custom-built business applications and critical security systems including offline certificate authorities (CAs) for public key infrastructures (PKIs), code signing, and remote HSM management. The security boundary of nShield Edge is certified up to FIPS 140-2 Level 3.

nShield Edge Features

Security Features

The primary purpose of a hardware security module (HSM) is to provide enhanced security for cryptographic operations that would otherwise be performed by software applications, operating systems, or unprotected server hardware—the majority of which are vulnerable to eavesdropping, misconfiguration, or modification. This additional protection arises from the use of a number of proven technologies that combine in a multi-layered approach. Some of those technologies include:

Physical security measures

A dedicated, portable device that isolates cryptographic processes and keys from applications and host operating systems—accessible only through tightly controlled cryptographic APIs.

Custom built hardware to guard against physical attack including the use of epoxy potting to shield internal circuitry from attack by probing and security labels to expose attempts to tamper with the device.

Monitoring of environmental conditions including the integrity of power supplies and temperature to detect potential attack.

Logical security measures

All administrators and users that directly access the HSM are strongly and individually authenticated using smart cards that are issued and managed by the HSM itself—avoiding the need to rely on weak and often shared passwords managed within other systems or exposed to other applications.

Clear separation of duties that distinguishes between HSM administrators and the key custodians who approve the use of HSM-protected keys, in contrast to software-based systems where application ‘super-users’ or root-level administrators might enjoy widespread entitlements.

Dual controls, where multiple administrators or operators may be required to act as a quorum to perform particularly sensitive tasks such as key recovery. This form of mutual supervision is a common way to limit the threat from malicious insiders, and it is highly configurable and strongly enforced within the HSM.
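The quorum principle behind dual control can be shown concretely with a k-of-n threshold scheme. The block below is an added illustration, not Thales or nShield code, and it does not reproduce the product's own card-set mechanism (which this page does not describe); it uses Shamir secret sharing over a prime field as a generic stand-in, with the secret, share counts and field prime chosen here for the example. It shows the two properties a quorum policy relies on: any k shares rebuild the guarded value, and k-1 shares, even if someone interpolates them anyway, yield an unrelated field element.

```python
"""Added illustration: enforcing a k-of-n quorum with Shamir secret sharing.

Generic example code, not Thales/nShield code; the product's own card-set
mechanism is not described on the page and is not reproduced here.
"""
import secrets

# Prime field for all arithmetic: 2**127 - 1 (a Mersenne prime), chosen for the example.
P = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients lowest-degree first) at x, mod P."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret, k, n):
    """Split an integer secret into n shares; any k distinct shares rebuild it.

    The secret is the constant term of a random degree-(k-1) polynomial and
    share i is the point (i, f(i)). Fewer than k points leave the constant
    term undetermined, which is what gives the quorum its teeth.
    """
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def _interpolate_at_zero(shares):
    """Lagrange interpolation of f(0) from the given (x, y) points, mod P.

    No quorum check here: with too few points this returns a value that is
    unrelated to the secret, which is the property the policy gate relies on.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def recover_secret(shares, k):
    """Rebuild the secret only if at least k distinct shares are presented.

    Returns None when the quorum is not met; this is the gate a key-recovery
    ceremony enforces before any key material is released.
    """
    xs = {x for x, _ in shares}
    if len(xs) != len(shares):
        raise ValueError("duplicate share presented")
    if len(shares) < k:
        return None
    return _interpolate_at_zero(shares[:k])


if __name__ == "__main__":
    # Constructed sample: a 3-of-5 administrator quorum guarding one value.
    SECRET = 0x5EC4E7
    shares = split_secret(SECRET, k=3, n=5)
    print("3 of 5 present, recovered:", recover_secret(shares[:3], 3) == SECRET)
    print("2 of 5 present, gate result:", recover_secret(shares[:2], 3))
    print("2 shares interpolated anyway equals secret?",
          _interpolate_at_zero(shares[:2]) == SECRET)
```

In a real ceremony the shares would live on individually issued smart cards and the reconstruction would happen inside the HSM boundary, so the recovered value never appears on the host; the point of the example is only the arithmetic that makes "fewer than k" a hard stop rather than a policy suggestion.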

Operational Features

In the past, high-security features tended to be cumbersome, adding effort and affecting performance. As a result, administrators were forced to make unfortunate tradeoffs between security on the one hand and performance and efficiency on the other. The nShield family of HSMs, with its Security World key management architecture, delivers both security and convenience by automating a number of important key management tasks and removing restrictions that would otherwise limit capacity or performance. These include:

The ability to use existing data backup, replication and file-sharing practices to safely and automatically perform application key sharing, distribution and backup—dramatically simplifying HSM deployment and management by minimizing the need to establish costly HSM-specific practices.

Standard application interfaces to support the widest range of applications and systems and an extensive pre-testing program with leading application vendors to minimize deployment risk.

nShield Edge Options

The nShield Edge is available in FIPS 140-2 Level 2 and FIPS 140-2 Level 3 variants. A non-FIPS Developer Edition is also offered, providing a low-cost mechanism for engineers to develop applications that will ultimately be deployed on FIPS-certified nShield Solo or Connect devices, in development environments where the higher performance of those devices is not required.

With the CipherTools Developer Toolkit, you can take full advantage of the advanced capabilities offered by the nShield HSM family as you integrate HSMs with your applications. It includes detailed tutorials and reference documentation, sample programs written in a range of high level languages, and additional versions of libraries to expand capabilities for integration with business applications beyond those that can be achieved by the standard application program interfaces (APIs).

nShield HSMs offer a large number of cryptographic algorithms as part of the standard feature set, including AES, DSA and RSA. Organizations that want to take advantage of next-generation elliptic curve algorithms can enhance their HSMs by adding the Elliptic Curve (ECC) Activation. While all nShield HSMs can process elliptic curve cryptography with this option pack, users of the nShield 500 PCI cards additionally benefit from hardware acceleration.

HSMs typically run in physically secure, lights-out data centers, often in several redundant sites. Many organizations therefore find it impractical to gain physical access to the HSM for day-to-day operations. Remote Operator saves time and reduces travel costs by enabling users to present credentials to a remote HSM in a secure manner directly from their workstation.

Highly sensitive areas of government and enterprises with a strong interest in national security sometimes prefer to use proprietary, national cryptographic algorithms to protect their most sensitive information. Given these security concerns, it is advantageous to run such algorithms on a secure HSM platform. KCDSA Activation enables South Korean agencies to use the Korean Certificate-based Digital Signature Algorithm (KCDSA) on an nShield HSM.